ASB-A-257685302
See a problem?- Import Source
- https://storage.googleapis.com/android-osv-test/ASB-A-257685302.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-257685302
- Aliases
-
- A-257685302
- CVE-2023-20938
- Published
- 2023-02-01T00:00:00Z
- Modified
- 2024-09-19T16:28:37.597357Z
- Summary
- [Binder][bug] Incorrect bound check in `binder_transaction_buffer_release` in binder.c
- Details
-
In bindertransactionbuffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
-
- https://source.android.com/security/bulletin/2023-02-01
- https://android.googlesource.com/kernel/common/+/baa23246e93f
- https://android.googlesource.com/kernel/common/+/3d213a626d2d
- https://android.googlesource.com/kernel/common/+/9d1efccf5ec3
- https://android.googlesource.com/kernel/common/+/b83173bf86a9
- https://android.googlesource.com/kernel/common/+/aaf236971732
- https://android.googlesource.com/kernel/common/+/ecf61e4e1117
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 1430.0,
"function_hash": "57945802677388285131097155261641647313"
},
"id": "ASB-A-257685302-1552da2e",
"source": "https://android.googlesource.com/kernel/common/+/b83173bf86a9",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_fd_array"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"313038343658523166098122802958393760212",
"79585464711390825773146389051625175757",
"317779735065705914265218652713383388803",
"166755683901155706002653544848751424853",
"49603946625177244447655409331865704870",
"196099616718076240974560046639620912560",
"320565108516915093738966781449632902187",
"44181199260964991641388260005340116566"
]
},
"id": "ASB-A-257685302-2470333c",
"source": "https://android.googlesource.com/kernel/common/+/3d213a626d2d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 664.0,
"function_hash": "91869882802570489353794730447307150389"
},
"id": "ASB-A-257685302-5fc0c001",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_validate_fixup"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"171335071513895933684184407593823852615",
"325418759592380779109831887762015796638",
"332937077662932921333468009412047321706",
"276141416899833850205745375790761887321",
"4079439885600407237917879878128313413",
"105123348396467664253291481053206501256",
"204737502273952766487289186793575359482",
"128583920883112561240995779383957243132",
"339868506594060780308247171587246119268",
"14627703930768104670442087088049371917",
"159915512480703037822487027189685120451",
"2561234358977219620233924279977044970",
"66179632263662113519635300925958754783",
"124388178721508897478113822975235500722",
"32481842790416207709892857913848201042",
"292446978351397708820022539007114790999",
"113370200733887540242796582837106810410",
"136448339102410493426761318702850349593",
"304525695876675098162679085920684094131",
"270101087789634106786638640312885616848",
"136686632346252236927452545084974572124",
"268115394793404073965793332135000269390",
"156327223111107971670545973839891112676",
"118339170135735007929174159342865594512",
"299117685636427853904675259319319240818",
"216282612910912424023664806028242651552",
"298176824356441214070682504711865561728",
"189416767533494821807093667296734307003",
"146516978718876602036078054534935674744",
"266328633130757262502916901134092415652",
"84092113608922744965377527757994593052",
"56047827477131484440382871418356976395",
"144478590624008630579923883231529448752",
"252127214552400640217329936821107776388",
"159169346308791919967441346954204992982",
"93384550581534813993095683213776446569",
"272404684973194687530974399029958284958",
"204453388122476165211955989860727873681",
"105620736149989701760986925347424930602",
"206397993764610442578165597264234621180",
"82833711310266718373763597108249649645",
"228380810704289439125157658705172749981",
"170856108397531140798738060679654426415",
"11231285199968441033892034000843556781",
"255054076581705504454167037020205578749",
"53617137612131030922399887131964360045",
"48534919645216013854928504630155012245",
"316792453862166379538970109097758551705",
"273890691662029611280288922443820659952",
"79197573414375217578091679727071937047",
"126838830693680163958417488057650980711",
"290850874630722683322019632945070310270",
"310131076936357127579846459187285102334",
"215372859735167040187423255208971341780",
"291062044375349338443907754571626559319",
"34482563917857670547109487495528342777",
"172134048104431205250728083402640561169",
"282590568175585839312153329819282505542",
"315155901167968932616364252308014862943",
"193480537496269791291342402853198984222",
"81122600633440935369829299487512367979",
"288148170942017626711320536927022973648",
"62344002304814458109213218270931770093",
"204470245081551354799914085845754791996",
"331664817902302299707573577672352623346",
"6676078178989048166129400109647666754",
"332497652786353907120027233619836324312",
"77751336726975278052879758801921998823"
]
},
"id": "ASB-A-257685302-69c880e8",
"source": "https://android.googlesource.com/kernel/common/+/b83173bf86a9",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 18030.0,
"function_hash": "231264112836681023874653530974917757549"
},
"id": "ASB-A-257685302-6a147b30",
"source": "https://android.googlesource.com/kernel/common/+/b83173bf86a9",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 17179.0,
"function_hash": "210746506091991529203173294119143117590"
},
"id": "ASB-A-257685302-7ce724e4",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1545.0,
"function_hash": "119948824473799413475964795563750262444"
},
"id": "ASB-A-257685302-9591fc53",
"source": "https://android.googlesource.com/kernel/common/+/9d1efccf5ec3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_fd_array"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1555.0,
"function_hash": "61610249985876790489875390670524750316"
},
"id": "ASB-A-257685302-98679b41",
"source": "https://android.googlesource.com/kernel/common/+/baa23246e93f",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_fd_array"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"331032649659762140329746357118325587818",
"187919186652363767262604227344282716371",
"193638154824715627411209064685636887206",
"125761131662848632512908218297428348287",
"235858469338214043767516813840372053488",
"207564999877910988557998500619786662118",
"95804486118658353119685414029045349828",
"182696624687549586206170809607878277140",
"141639874508149372350126717933285208646",
"104465143218031432792746587971553533570",
"136991770082207253598130283370774965008",
"259071462392032024243295072200624361416",
"75975514144403690512762410148132157210",
"67899959032322660406371579653953660302",
"164017127693028828485863229850205566265",
"277075463220841064973198334309486878090",
"114475775666788469740955988147764846277",
"15271480388400453898267304075181077374",
"30324278119300181735077070075534258475",
"281140757013475997955224013037853076134",
"303576058439284697433813223973640715914",
"128755819520080884544732033559361135362",
"77007989014537484270712497552999266862",
"90029718341534024297714048121163814760",
"64303508953871705486821018272115072596",
"297341669190664679643122445027527034287",
"189641357755601163472653188010259275972",
"266328633130757262502916901134092415652",
"19184206755870061037506901885140550467",
"22607831762225904401448839198272419152",
"162734732299696050431200819884792838973",
"155046924050975885159208047673524923333",
"275603334085135672984528440634388478821",
"163797010499279859586237025076216259816",
"261112106206145541210921848099885835173",
"299406580473306240523247703998087592969",
"7050131746381336174023626379064292566",
"9564415964560967540738060200092911767",
"251823795643657220013629050747334555663",
"183499398107863695675165911583514911687",
"30917030446581167408268688149589905257",
"81122600633440935369829299487512367979",
"325012192028996930195256894474057284344",
"49152329496976274012463120931916281653",
"170856108397531140798738060679654426415",
"195339188588366934591170321607178191982",
"20948929669783423775062448280635001904",
"307859567405713780862510378609578748820",
"23789848340119422349429263979233895155",
"213745379502025442325282339688555895387",
"113536260867180042003582703346942858658",
"262924220355841436083237106566774136383",
"256765235562957862323100146301306913538",
"226654309603514662690539653611202802837",
"274716059360982123978490194095786793827",
"34140001061243060429382988761987188390",
"61946646001172054611776366438031917779",
"16220470106246329378704050134155255506",
"32951849135974059486491216712090348280",
"203138997455811472977131135896718846490",
"264042234155545223551566569171528197941",
"108204720054035793368918776963872795123",
"77212645171851350650526329075082368946",
"52985072506018903541759667931074273038",
"195049892207750417969628958451966347784",
"265534341521180545425792405566635647219",
"99934451615264582823623705492858809277",
"115348326218142486597619428165414157305",
"68986750830794522154329956781784503222",
"204470245081551354799914085845754791996"
]
},
"id": "ASB-A-257685302-a6536268",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 835.0,
"function_hash": "257190768084405496496280914387137311462"
},
"id": "ASB-A-257685302-ac04bf8e",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_get_object"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"76413718956316227580128835055484033677",
"100993195217200887978990576864595725505",
"69579650707171643059787736796833135953"
]
},
"id": "ASB-A-257685302-b1eb7d6f",
"source": "https://android.googlesource.com/kernel/common/+/baa23246e93f",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"217924808121203078722163240254339859360",
"202156220889908926793505286111009998237",
"94240196824344451212270157435688652201",
"199041341265905909295502514476558977621"
]
},
"id": "ASB-A-257685302-b2414602",
"source": "https://android.googlesource.com/kernel/common/+/9d1efccf5ec3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 518.0,
"function_hash": "6370078938843598649401455209708465665"
},
"id": "ASB-A-257685302-b41a9b8c",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_validate_ptr"
},
"signature_type": "Function"
},
{
"digest": {
"length": 3234.0,
"function_hash": "182449170348391727578650341492101035369"
},
"id": "ASB-A-257685302-c85a214b",
"source": "https://android.googlesource.com/kernel/common/+/ecf61e4e1117",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction_buffer_release"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1113.0,
"function_hash": "87421648900353374154151640776668162653"
},
"id": "ASB-A-257685302-f935ba46",
"source": "https://android.googlesource.com/kernel/common/+/3d213a626d2d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_do_deferred_txn_copies"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/kernel/common/+/baa23246e93f",
"https://android.googlesource.com/kernel/common/+/3d213a626d2d",
"https://android.googlesource.com/kernel/common/+/9d1efccf5ec3",
"https://android.googlesource.com/kernel/common/+/b83173bf86a9",
"https://android.googlesource.com/kernel/common/+/aaf236971732",
"https://android.googlesource.com/kernel/common/+/ecf61e4e1117"
],
"spl": "2023-02-05",
"severity": "High",
"types": [
"EoP"
]
}